Features Introduced in February 2023

Learn what’s new on Prisma™ Cloud in February 2023.

New Features

FEATURE
DESCRIPTION
Enhancement
Role Assignment Modification for SSO Sign-In
If you have enabled access for users on Prisma Cloud using SSO with JIT provisioning, you can no longer modify their roles in the Prisma Cloud administrative console unless they have previously been added to an SSO bypass list. Role management for these users must be completed from the Identity Provider (IdP) for the change to take effect.
Users on the SSO bypass list can modify their roles and log in directly to the Prisma Cloud console using credentials. However, once you opt to sign in using SSO, your role is reset to the IdP-provisioned role.

API Ingestions

SERVICE
API DETAILS
Amazon ECR
aws-ecr-registry
Additional permissions required:
  • ecr:GetRegistryPolicy
  • ecr:DescribeRegistry
  • ecr:DescribePullThroughCacheRules
You must manually add the permissions or update the CFT template to enable them.
Amazon Chime
aws-chime-voice-connector
Additional permissions required:
  • chime:ListVoiceConnectors
  • chime:GetVoiceConnectorLoggingConfiguration
The Security Audit role only includes the chime:ListVoiceConnectors permission.
You must manually add the permission or update the CFT template to enable chime:GetVoiceConnectorLoggingConfiguration.
Google Analytics Hub
gcloud-analytics-hub-data-exchange-listing
Additional permissions required:
  • analyticshub.dataExchanges.list
  • analyticshub.listings.list
  • analyticshub.dataExchanges.getIamPolicy
The Viewer role includes the permissions.
Google Compute Engine
gcloud-compute-external-vpn-gateway
Additional permission required:
  • compute.externalVpnGateways.list
The Viewer role includes the permission.
Google Dataproc Metastore
gcloud-dataproc-metastore-federation
Additional permissions required:
  • metastore.locations.list
  • metastore.federations.list
  • metastore.federations.getIamPolicy
The Viewer role includes the permissions.

New Policies

NEW POLICIES
DESCRIPTION
DNS Rebinding Activity Anomaly Policy
A new DNS rebinding activity anomaly policy is now available on the Policies page in Prisma Cloud. It detects when computing resources perform domain requests for rebinding domains by inspecting every DNS request performed by all monitored compute resources and looking for consecutive anomalous requests.
By default, the alert disposition of the policy is set to conservative.
Azure AKS cluster is not configured with disk encryption set
Identifies AKS clusters that are not configured with disk encryption set. Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure key vault as a secrets store with an Azure Kubernetes Service (AKS) cluster via a CSI volume. It is recommended to enable secret store CSI driver for your Kubernetes clusters.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-kubernetes-cluster' AND json.rule = properties.powerState.code equal ignore case Running and properties.addonProfiles.azureKeyvaultSecretsProvider.enabled is false
Azure Service Fabric cluster not configured with cluster protection level security
Identifies Service Fabric clusters that are not configured with cluster protection level security. Service Fabric provides levels of protection for node-to-node communication using a primary cluster certificate. It is recommended to set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-fabric-cluster' AND json.rule = properties.provisioningState equal ignore case Succeeded and ((properties.fabricSettings[*].name does not equal ignore case "Security" and properties.fabricSettings[*].parameters[*].name does not equal ignore case "ClusterProtectionLevel") or (properties.fabricSettings[?any(name equal ignore case "Security" and parameters[?any(name equal ignore case "ClusterProtectionLevel" and value equal ignore case "None")] exists )] exists))

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Changes—
The policy name and description are updated. The policy RQL is updated to report instances configured with HTTP (80) and HTTPS (443) ports, which are in active state only.
Current Name—
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Updated Name—
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)
Updated Description—
Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0). EC2 instances with unrestricted access to the internet may enable bad actors to use brute force on a system to gain unauthorised access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
Current RQL—
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/0:79', 'tcp/81:442', 'tcp/444:65535' )
Updated RQL—
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'
Impact—
Medium. Existing alerts will be resolved as Policy_Updated for instances that are no longer active. New alerts are generated when the instance is connected to the internet and configured with an HTTP / HTTPS port.
AWS Glue connection do not have SSL configured
Changes—
The policy RQL has been updated to exclude AWS Glue with connection type as Network from reporting because they cannot be configured for SSL.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-glue-connection' AND json.rule = (connectionType equals KAFKA and connectionProperties.KAFKA_SSL_ENABLED is false) or (connectionType does not equal KAFKA and connectionProperties.JDBC_ENFORCE_SSL is false)
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-glue-connection' AND json.rule = ((connectionType equals KAFKA and connectionProperties.KAFKA_SSL_ENABLED is false) or (connectionType does not equal KAFKA and connectionProperties.JDBC_ENFORCE_SSL is false)) and connectionType does not equal "NETWORK"
Impact—
Low. Existing alerts will be resolved as Policy_Updated.
Azure Virtual Network subnet is not configured with a Network Security Group
Changes—
The policy RQL is updated to exclude the private endpoint and private link associated subnets.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes" and ['properties.privateEndpointNetworkPolicies'] equals Enabled and ['properties.privateLinkServiceNetworkPolicies'] equals Enabled
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-subnet-list' AND json.rule = networkSecurityGroupId does not exist and name does not equal ignore case "GatewaySubnet" and name does not equal ignore case "RouteServerSubnet" and name does not equal ignore case "AzureFirewallSubnet" and ['properties.delegations'][*].['properties.serviceName'] does not equal "Microsoft.Netapp/volumes"
Impact—
Medium. Existing alerts will be resolved as Policy_Updated for which private endpoint is in disabled state. New alerts are generated for private endpoints in disabled state with no network security group.
Policy Updates-Metadata
GCP VPC Network subnets have Private Google access disabled
Changes—
The policy remediation CLI command description to define granular permissions required for running the remediation CLI command is updated.
Updated Remediation CLI Description—
This CLI command requires 'compute.subnetworks.setPrivateIpGoogleAccess', 'compute.subnetworks.setPrivateIpGoogleAccess' and 'compute.subnetworks.update' permissions. Successful execution will enable GCP VPC Network subnets 'Private Google access'.
Impact—
No impact on alerts.
GCP Storage buckets are publicly accessible to all authenticated users
Changes—
The policy remediation CLI command description to define granular permissions required for running the remediation CLI command is updated.
Updated Remediation CLI Description—
This CLI command requires 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allAuthenticatedUsers' permission access in GCP Storage buckets.
Impact—
No impact on alerts.
GCP Storage log buckets have object versioning disabled
Changes—
The policy remediation CLI command description to define granular permissions required for running the remediation CLI command is updated.
Updated Remediation CLI Description—
This CLI command requires 'storage.buckets.update' permission. Successful execution will enable GCP Storage log buckets 'versioning'.
Impact—
No impact on alerts.
GCP Storage buckets are publicly accessible to all users
Changes—
The policy remediation CLI command description to define granular permissions required for running the remediation CLI command is updated.
Updated Remediation CLI Description—
This CLI command requires 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allUsers' permission access in GCP Storage buckets.
Impact—
No impact on alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Update
AWS Foundational Security Best Practices Standard
The AWS Foundational Security Best Practices standard has been updated to map default policies to the relevant sections.
Impact—
No impact on alerts. The compliance report score will be impacted because of the new mapping.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Google Cloud Task Update
Prisma Cloud will no longer ingest gcloud-cloud-task API related resources because these are ephemeral. As a result, all gcloud-cloud-task resources will be deleted from your tenant.
Impact—
No impact on alerts.

Deprecation Notices

FEATURE
DESCRIPTION
Legacy IaC Scan on app.govcloud.io is End of Support
Prisma Cloud no longer supports legacy IaC scanning on GovCloud. The IaC Scan plugins and the DevOps dashboard have been removed from the platform.

New Features

FEATURE
DESCRIPTION
Asset Class Filter
An Asset Class is an asset attribute that aligns with the generally intended application of a given asset type. The new Asset Class filter is available on the Asset Inventory and Alerts Overview pages and allows you to filter assets based on the following asset classes:
  • Code
  • Compute
  • Database
  • Identity and Security
  • Network
  • Other
  • Storage
When you use this filter, the results on the Prisma Cloud console are narrowed to display the list of assets that match your criterion.
Performance Improvements for Investigate RQL Queries
The config and event query results on the Investigate page are optimized to load the initial set of results significantly faster. To enable faster load times, the backend automatically uses a heuristic search to retrieve search results for your query. When you enter the query and click Search, the interface loads the first 100 search results, and you can use the Load More button to fetch more results. The Get Total Count button enables you to get a full count of all pertinent results, and is available for eligible queries that include attributes that support the heuristic search only.
All config attributes except cloud.accountgroup, azure.resource.group, limit search records, aggregate functions (count and group by), and all finding type attributes such as finding.type, finding.severity, are currently optimized for faster search results. For event queries, the attribute cloud type supports heuristic search.
API Access Key Expiration Notifications
Prisma Cloud allows you to create and manage API keys to facilitate programmatic access to our features and functionality. To ensure uninterrupted access to Prisma Cloud APIs, you can now set up the following Access Key Expiration Notifications:
  • Email notifications for named user Access Keys
  • Alarm Center notifications for Service Account Access Keys
Navigate to Enterprise Settings > Access Key Expiration Notifications to set a notification threshold prior to access key expiration.
Updates to Access Key Expiration Notifications settings may take up to 24 hours to take effect.
Support for AWS Tags on Prisma Cloud IAM
Prisma Cloud IAM now supports AWS tags. Leverage tags to create RQL queries and dynamic custom policies, by using specific tags to group your cloud resources, roles, groups, policies, etc. when defining your alert rules.
Send Audit Logs to External Integrations
Forward audit logs from Prisma Cloud to an external integration that you have configured to integrate with your existing security workflows.
  • Select Settings > Enterprise Settings.
  • Enable Send Audit Logs to integration.
  • Select the AWS SQS or Webhooks notification channel to send the audit logs.
    All new audit logs that are generated after you enable the integration will be sent to this channel. You can view the audit logs on Settings > Audit Logs on Prisma Cloud.
Prisma Cloud does not forward Successful Login type audit log messages to external integrations to minimize noise and log flooding. However, all other audit log types can be forwarded to any supported external integration such as Webhook or SQS. For example, Prisma Cloud does not forward the following audit log message.
'xxx@paloaltonetworks.com'(with role 'System Admin':'System Admin') logged in via password
Support for Azure Permission Levels on Prisma Cloud IAM
Prisma Cloud IAM now leverages Azure Permission levels for better visibility into your Azure identity permissions, providing you with a more granular view of granted permissions. In addition, you can use these new attributes to create custom policies to more closely monitor your cloud resources.
Update
IAM Query Attributes
The new CONTAINS ALL operator is now supported for the action.name attribute. With this operator, you can run queries with AND logic in between values. For example, if you want to get only roles that contain all actions: X, Y, and Z:
config from iam where action.name CONTAINS ALL ( 'Microsoft.AgFoodPlatform/farmBeats/seasons/write', 'Microsoft.AgFoodPlatform/fields/delete' )
Use this operator to more granularly query groups, roles, and policies.

API Ingestions

SERVICE
API DETAILS
Amazon CloudWatch
aws-cloudwatch-insight-rule
Additional permissions required:
  • cloudwatch:DescribeInsightRules
  • cloudwatch:ListTagsForResource
The Security Audit role includes the permissions.
Amazon Kinesis Video
aws-kinesis-video-stream
Additional permissions required:
  • kinesisvideo:ListTagsForStream
  • kinesisvideo:ListStreams
  • kinesisvideo:DescribeNotificationConfiguration
You must add the permissions manually or use the CFT template to update the permissions.
Google Analytics Hub
gcloud-analytics-hub-data-exchange
Additional permission required:
  • analyticshub.dataExchanges.list
The Viewer role includes the permission.
Google Compute Engine
gcloud-compute-vpn-gateway
Additional permission required:
  • compute.vpnGateways.list
The Viewer role includes the permission.
Google Compute Engine
gcloud-compute-target-vpn-gateway
Additional permission required:
  • compute.targetVpnGateways.list
The Viewer role includes the permission.
OCI Certificate
oci-certificate-certificates
Additional permissions required:
  • inspect leaf-certificates
  • read leaf-certificates
You must manually add these permissions.
OCI Cloud Guard
oci-cloudguard-security-zone
Additional permissions required:
  • inspect security-zone
  • read security-zone
You must manually add these permissions.
OCI Cloud Guard
oci-cloudguard-security-recipe
Additional permissions required:
  • inspect security-recipe
  • read security-recipe
You must manually add these permissions.
OCI Data Safe
oci-data-safe-private-endpoint
Additional permissions required:
  • inspect data-safe-private-endpoints
  • read data-safe-private-endpoints
You must manually add these permissions.
OCI Data Safe
oci-data-safe-target-database
Additional permissions required:
  • inspect target-databases
  • read target-databases
You must manually add these permissions.
OCI IAM
oci-iam-dynamic-group
Additional permission required:
  • inspect dynamic-groups
You must manually add the permission.
OCI NoSQL Database
oci-nosql-database-table
Additional permissions required:
  • inspect nosql-tables
  • read nosql-tables
You must manually add these permissions.
OCI Scanning
oci-scanning-host-scantarget
Additional permissions required:
  • inspect host-scan-targets
  • read host-scan-targets
You must manually add these permissions.
OCI Scanning
oci-scanning-host-scanrecipe
Additional permissions required:
  • inspect host-scan-recipes
  • read host-scan-recipes
You must manually add these permissions.
OCI Vaults
oci-vault-keyvault
Additional permissions required:
  • inspect vaults
  • read vaults
You must manually add these permissions.
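To check whether a role's policies already cover the AWS actions listed for aws-ecr-registry, aws-chime-voice-connector, aws-cloudwatch-insight-rule and aws-kinesis-video-stream before editing the role or the CFT template, a small audit like the following can help. It is an added example, not Palo Alto Networks code; the policy documents are constructed samples, and the check looks only at Effect and Action (it ignores Resource, Condition, NotAction, permission boundaries and SCPs).

```python
from fnmatch import fnmatchcase

# AWS actions named in the API Ingestions tables on this page, keyed by API name.
REQUIRED_ACTIONS = {
    "aws-ecr-registry": [
        "ecr:GetRegistryPolicy",
        "ecr:DescribeRegistry",
        "ecr:DescribePullThroughCacheRules",
    ],
    "aws-chime-voice-connector": [
        "chime:ListVoiceConnectors",
        "chime:GetVoiceConnectorLoggingConfiguration",
    ],
    "aws-cloudwatch-insight-rule": [
        "cloudwatch:DescribeInsightRules",
        "cloudwatch:ListTagsForResource",
    ],
    "aws-kinesis-video-stream": [
        "kinesisvideo:ListTagsForStream",
        "kinesisvideo:ListStreams",
        "kinesisvideo:DescribeNotificationConfiguration",
    ],
}

# Constructed sample: policy documents attached to a hypothetical onboarding role.
# They do not reproduce the contents of any AWS managed policy.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecr:Describe*", "chime:*", "cloudwatch:describe*", "cloudwatch:List*"]},
    ]},
    # "Statement" may be a single object instead of a list.
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Resource": "*", "Action": "kinesisvideo:ListStreams"}},
    # An explicit Deny overrides any Allow.
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Resource": "*", "Action": "chime:Get*"},
    ]},
]


def _listify(value):
    """IAM allows a single value where a list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def collect_patterns(policy_documents):
    """Return (allow, deny) lists of lower-cased Action patterns."""
    allow, deny = [], []
    for document in policy_documents:
        for statement in _listify(document.get("Statement")):
            target = allow if statement.get("Effect") == "Allow" else deny
            target.extend(a.lower() for a in _listify(statement.get("Action")))
    return allow, deny


def is_granted(action, allow, deny):
    """Action names are case-insensitive and patterns may use '*' and '?'."""
    name = action.lower()
    if any(fnmatchcase(name, pattern) for pattern in deny):
        return False
    return any(fnmatchcase(name, pattern) for pattern in allow)


def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Map each API name to the required actions the policies do not grant."""
    allow, deny = collect_patterns(policy_documents)
    report = {}
    for api_name, actions in required.items():
        gaps = [a for a in actions if not is_granted(a, allow, deny)]
        if gaps:
            report[api_name] = gaps
    return report


if __name__ == "__main__":
    for api_name, gaps in missing_actions(SAMPLE_POLICIES).items():
        print(f"{api_name}: add {', '.join(gaps)}")
```
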

New Policies

NEW POLICIES
DESCRIPTION
AWS SSM documents are public
Identifies SSM documents that are public and might allow unintended access. A public SSM document can expose valuable information about your account, resources, and internal processes. It is recommended to share SSM documents with only a few private AWS accounts, based on the requirement.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ssm-document' AND json.rule = accountSharingInfoList[*].accountId equal ignore case "all"
AWS CloudFront distributions does not have a default root object configured
Identifies CloudFront distributions that do not have a default root object configured. If a CloudFront distribution does not have a default root object configured, requests for the root of your distribution pass to your origin server, which might return a list of the private contents of your origin. To avoid exposing the contents of your distribution or returning an error, it is recommended to specify a default root object.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = defaultRootObject is empty
Azure Storage account is not configured with private endpoint connection
Identifies Storage accounts that are not configured with a private endpoint connection. Azure Storage account private endpoints can be configured using Azure Private Link. Private Link allows users to access an Azure Storage account from within the virtual network or from any peered virtual network. When Private Link is combined with restricted NSG policies, it helps reduce the risk of data exfiltration. It is recommended to configure Private Endpoint Connection to Storage account.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-storage-account-list' AND json.rule = properties.provisioningState equals Succeeded and networkRuleSet.defaultAction equal ignore case Allow and networkRuleSet.virtualNetworkRules is empty and networkRuleSet.ipRules[*] is empty and properties.privateEndpointConnections[*] is empty
Azure Microsoft Defender for Cloud set to Off for Resource Manager
Identifies Azure Microsoft Defender for Cloud which has defender setting for Resource Manager (ARM) set to Off. Enabling Azure Defender for ARM provides protection against issues like Suspicious resource management operations, Use of exploitation toolkits, Lateral movement from the Azure management layer to the Azure resources data plane. It is highly recommended to enable Azure Defender for ARM.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equal ignore case Arm and properties.pricingTier does not equal ignore case Standard)] exists
GCP SQL server instance database flag 3625 (trace flag) is not set to on
Identifies GCP SQL server instance for which database flag 3625 (trace flag) is not set to on. Trace flag can help prevent the disclosure of sensitive information by masking the parameters of some error messages using '*', for users who are not members of the sysadmin fixed server role. It is recommended to set 3625 (trace flag) database flag for SQL Server instance to on.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "databaseVersion contains SQLSERVER and state equals RUNNABLE and (settings.databaseFlags[*].name does not contain 3625 or settings.databaseFlags[?any(name contains 3625 and value contains off)] exists)"

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-RQL
Activity Log Retention should not be set to less than 365 days
Changes—
The policy name, description, and recommendations are updated according to the latest vendor UI settings. The policy RQL is updated to check log profile status so that disabled log profiles will be reported.
Current Name—
Activity Log Retention should not be set to less than 365 days
Updated Name—
Azure Activity Log retention should not be set to less than 365 days
Updated Description—
Identifies Log profiles which have log retention set to less than 365 days. Log profile controls how your Activity Log is exported and retained. Since the average time to detect a breach is over 200 days, it is recommended to retain your activity log for 365 days or more in order to have time to respond to any incidents.
Current RQL—
config from cloud.resource where cloud.type = 'azure' AND cloud.service = 'Azure Monitor' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = 'isLegacy is true and (properties.retentionPolicy !exists or (properties.retentionPolicy.days != 0 and properties.retentionPolicy.days < 365))'
Updated RQL—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-monitor-log-profiles-list' AND json.rule = isLegacy is true and (properties.retentionPolicy does not exist or properties.retentionPolicy.enabled is false or (properties.retentionPolicy.enabled is true and (properties.retentionPolicy.days does not equal 0 and properties.retentionPolicy.days < 365)))
Impact—
Low. New alerts will be generated for disabled log profiles.
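To see which log profiles the RQL change above starts reporting, the following models the Current and Updated json.rule as Python predicates and runs both over a handful of profiles. It is an added example, not Prisma Cloud code: the predicates are a hand translation of the two rules, and the profiles and their names are constructed sample data.

```python
# Hand translation of the Current and Updated json.rule for
# "Azure Activity Log retention should not be set to less than 365 days".

def _retention(profile):
    """Return properties.retentionPolicy, or None when it does not exist."""
    return profile.get("properties", {}).get("retentionPolicy")


def current_rule(profile):
    """Current RQL: isLegacy and (no retentionPolicy or (days != 0 and days < 365))."""
    if profile.get("isLegacy") is not True:
        return False
    policy = _retention(profile)
    if policy is None:
        return True
    days = policy["days"]
    return days != 0 and days < 365


def updated_rule(profile):
    """Updated RQL: also reports any profile whose retentionPolicy.enabled is false."""
    if profile.get("isLegacy") is not True:
        return False
    policy = _retention(profile)
    if policy is None:
        return True
    if policy["enabled"] is False:
        return True
    days = policy["days"]
    return policy["enabled"] is True and days != 0 and days < 365


def _profile(name, policy=None):
    """Build a constructed log profile; policy=None means no retentionPolicy."""
    props = {} if policy is None else {"retentionPolicy": policy}
    return {"name": name, "isLegacy": True, "properties": props}


# Constructed sample data covering each branch of the two rules.
SAMPLE_PROFILES = [
    _profile("no-policy"),
    _profile("enabled-90d", {"enabled": True, "days": 90}),
    _profile("enabled-365d", {"enabled": True, "days": 365}),
    _profile("enabled-0d", {"enabled": True, "days": 0}),
    _profile("disabled-0d", {"enabled": False, "days": 0}),
    _profile("disabled-30d", {"enabled": False, "days": 30}),
    _profile("disabled-400d", {"enabled": False, "days": 400}),
]


def verdicts(profiles):
    """Map profile name to (matched by current rule, matched by updated rule)."""
    return {p["name"]: (current_rule(p), updated_rule(p)) for p in profiles}


def newly_reported(profiles):
    """Profiles that only the updated rule matches, i.e. the source of new alerts."""
    return [p["name"] for p in profiles if updated_rule(p) and not current_rule(p)]


if __name__ == "__main__":
    for name, (before, after) in verdicts(SAMPLE_PROFILES).items():
        print(f"{name:14} current={before!s:5} updated={after!s:5}")
    print("newly reported:", newly_reported(SAMPLE_PROFILES))
```

In this model every profile matched by the current rule is still matched by the updated one, so the change only adds alerts, which is consistent with the stated impact.
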
Policy Updates-Metadata
AWS Certificate Manager (ACM) has invalid or failed certificate
Changes—
The policy description is updated.
Updated Description—
Identifies certificates in ACM which are either in Invalid or Failed state. If the ACM certificate is not validated within 72 hours, it becomes Invalid. An ACM certificate fails when,
  • the certificate is requested for invalid public domains
  • the certificate is requested for domains which are not allowed
  • missing contact information
  • typographical errors
In such cases (Invalid or Failed certificate), you will have to request a new certificate. It is strongly recommended to delete the certificates which are in failed or invalid state.
Impact—
No impact on alerts.
AWS ECS/ Fargate task definition root user found
Changes—
The policy name and description are updated.
Current Name—
AWS ECS/ Fargate task definition root user found
Updated Name—
AWS ECS Fargate task definition root user found
Updated Description—
Identifies AWS ECS Fargate task definition which has user name as root. As a best practice, the user name to use inside the container should not be root. Note: This parameter is not supported for Windows containers.
Impact—
No impact on alerts.
CloudTrail trail is not integrated with CloudWatch Log
Changes—
The policy name and description are updated.
Current Name—
CloudTrail trail is not integrated with CloudWatch Log
Updated Name—
AWS CloudTrail trail logs is not integrated with CloudWatch Log
Updated Description—
Identifies AWS CloudTrail which has trail logs that are not integrated with CloudWatch Log. Enabling the CloudTrail trail logs integrated with CloudWatch Logs will enable the real-time as well as historic activity logging. This will further improve monitoring and alarm capability.
Impact—
No impact on alerts.
S3 buckets with configurations set to host websites
Changes—
The policy name and description are updated.
Current Name—
S3 buckets with configurations set to host websites
Updated Name—
AWS S3 buckets with configurations set to host websites
Updated Description—
Identifies AWS S3 buckets that are configured to host websites. To host a website on AWS S3 you should configure a bucket as a website. By frequently surveying these S3 buckets, you can ensure that only authorized buckets are enabled to host websites. Make sure to disable static website hosting for unauthorized S3 buckets.
Impact—
No impact on alerts.
Azure Storage account container storing activity logs is publicly accessible
Changes—
The policy recommendation steps are updated to reflect CSP UI changes.
Impact—
No impact on alerts.
Azure Container Registry does not use a dedicated resource group
Changes—
The policy description and recommendation steps are updated according to the new URL link provided by the CSP.
Impact—
No impact on alerts.
SQL Instances do not have SSL configured
Changes—
The policy name, description, and recommendation steps are updated.
Current Name—
SQL Instances do not have SSL configured
Updated Name—
GCP SQL Instances do not have valid SSL configuration
Updated Description—
Identifies GCP SQL instances that do not have valid SSL configuration with an unexpired SSL certificate. Cloud SQL supports connecting to an instance using the Secure Socket Layer (SSL) protocol. If Cloud SQL Auth proxy is not used for authentication, it is recommended to utilize SSL for connection to SQL Instance, ensuring the security for data in transit.
Impact—
No impact on alerts.
SQL DB Instance backup Binary logs configuration is not enabled
Changes—
The policy name, description, and recommendation steps are updated.
Current Name—
SQL DB Instance backup Binary logs configuration is not enabled
Updated Name—
GCP SQL MySQL DB instance point-in-time recovery backup (Binary logs) is not enabled
Updated Description—
Identifies Cloud SQL MySQL DB instances whose point-in-time recovery backup is not enabled. In case of an error, point-in-time recovery helps you recover an instance to a specific point in time. It is recommended to enable automated backups with point-in-time recovery to prevent any data loss in case of an unwanted scenario.
Impact—
No impact on alerts.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Global Region Support for Google VPC Firewall Rule
Prisma Cloud now provides global region support for gcloud-compute-firewall-rules-list. Due to this, all the resources will be deleted, and then regenerated on the management console.
Existing alerts corresponding to this resource are resolved as Resource_Deleted, and new alerts will be generated against policy violations.
Impact—You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-firewall-rules-list start ingesting data again.
Google VPC Network API Update
Prisma Cloud now provides global region support, as well as a backend update to the resource ID for the gcloud-compute-networks-list API. As a result, all resources for this API will be deleted and then regenerated on the management console.
Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any.
Impact—You may notice a reduced alert count. However, once the resources for gcloud-compute-networks-list resume ingesting data, the alert count will return to the original numbers.

REST API Updates

CHANGE
DESCRIPTION
Update
Enterprise Settings API
The response object for the GET /settings/enterprise endpoint now includes the following additional properties:
  • auditLogSiemIntgrIds
  • auditLogsEnabled
The request body and response object for the POST /settings/enterprise endpoint now include the following additional properties:
  • auditLogSiemIntgrIds
  • auditLogsEnabled
